Wednesday, September 10, 2014

JP Morgan Chase Hack Attack – The Analysis

Not just JP Morgan Chase but at least four other banks were struck by hackers in a series of well-planned, coordinated attacks recently, according to people briefed on the ongoing investigation into the crimes. The hackers not only infiltrated the banks' networks but also siphoned off gigabytes of data, including savings and checking account information.

Normally, when we analyze any hack attack or hack attempt, the first question that pops into our mind is how it was carried out. However, many organizations are not forthcoming about the exact method by which their IT security was breached and how their costly security appliances were caught napping.

The same is true in this case: little has been divulged. All we know is that, along with JP Morgan Chase, at least four others were breached. One bank being breached is understandable, but more than four? That count alone is enough to suggest that some other entity is involved, a common entity with access to all these banks. In the past too, we have seen the involvement of a third party lead to the downfall, and we are fairly sure that in this case the scenario is not much different.

Most big organizations may have the best security appliances and an ensemble of security experts working on their behalf. However, when it comes to extending that security cover to the very entities to which they have outsourced much of their sensitive data-related work, there seems to be a gray area. It is this gray area that hackers have been attacking with a very high success rate.

Is it a lack of finances or plain ignorance? To save a few million dollars and a few HR-related headaches, organizations prefer to outsource numerous tasks, which in reality is a huge business. On the other hand, when we look at the cons, a single data breach can wipe out the entire organization, or at the least wipe out the profits accrued through outsourcing.

There have been numerous instances where the third party itself exhibited a lackadaisical attitude towards incorporating security, acting on security advisories, or following security norms.

Outsourcing provides great opportunities. However, all the parties concerned have to understand that security is only as strong as the weakest link.

Whenever a third party has been attacked, it has always been through spear phishing, malware/Trojans or a web-based vulnerability. However, looking more closely at the method of attack from the perspective of IDS/IPS, all of these forms of attack are supposed to trigger an alarm, unless the systems have been shut down or a zero-day has been used.

It is highly unlikely that a zero-day was used in this attack, for the simple reason that more than one bank was breached and the possibility of all the banking networks sharing the same vulnerability is next to zero.

Secondly, many questions arise when we realize that gigabytes of data were siphoned off. Present-day security alerting systems are advanced enough to detect anomalous bandwidth usage, and it is surprising that the attack was detected only after huge chunks of data had been transferred. A few questions come to mind:

1: Did the alerting systems issue an alert that was later dismissed as a false positive?

2: Or did the attackers stay well under the radar, which would again raise more questions about the timeline?

3: Or did the hackers know the internal security well enough to remain undetected for such a long period, which not only allowed them to transfer data but also to gain a foothold in the internal network?
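The questions above turn on whether egress monitoring would catch a large transfer, and whether a "low and slow" transfer would slip under a per-day threshold. The following is an added example, not code from the original post: a per-host daily check beside a windowed check that compares the whole period's total against the baseline, so a trickle that never spikes on any single day still stands out. Host names and byte counts are constructed placeholders.

```python
"""Two egress-volume checks over constructed per-host daily outbound byte counts.

Added example, not from the original post. Sample values are constructed and the
host names are hypothetical placeholders, not data from the JP Morgan incident.
"""
from math import sqrt
from statistics import mean, pstdev

# Constructed 7-day baseline of outbound bytes per host, learned in a quiet period.
BASELINE = {
    "db-proxy-01": [2.1e9, 1.9e9, 2.0e9, 2.2e9, 2.0e9, 1.8e9, 2.1e9],
    "app-07":      [0.5e9, 0.6e9, 0.5e9, 0.4e9, 0.6e9, 0.5e9, 0.5e9],
}
# Constructed observation window: one host bursts on a single day, the other
# leaks "low and slow", staying inside the per-day noise every single day.
OBSERVED = {
    "db-proxy-01": [2.0e9, 2.1e9, 9.5e9],
    "app-07":      [0.65e9] * 7,
}
THRESHOLD = 3.0  # flag anything more than 3 standard deviations above baseline


def zscore(value, mu, sigma):
    """Standard score; a flat baseline (sigma 0) makes any excess count as infinite."""
    if sigma == 0:
        return float("inf") if value > mu else 0.0
    return (value - mu) / sigma


def daily_spikes(host, threshold=THRESHOLD):
    """Indices of observed days whose egress volume alone exceeds the threshold."""
    mu, sigma = mean(BASELINE[host]), pstdev(BASELINE[host])
    return [i for i, b in enumerate(OBSERVED[host])
            if zscore(b, mu, sigma) > threshold]


def window_drift(host, threshold=THRESHOLD):
    """True when the window's total is anomalous even if no single day is.

    Treating days as independent, the n-day sum is expected to be n*mu with
    spread sigma*sqrt(n), so a steady small excess accumulates into a clear signal.
    """
    mu, sigma = mean(BASELINE[host]), pstdev(BASELINE[host])
    n = len(OBSERVED[host])
    return zscore(sum(OBSERVED[host]), n * mu, sigma * sqrt(n)) > threshold


if __name__ == "__main__":
    for host in OBSERVED:
        print(host, "spike days:", daily_spikes(host), "window drift:", window_drift(host))
```

With these constructed values the burst host is caught by both checks, while the trickling host passes every daily check and is caught only by the windowed one.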

It comes as a surprise that an organization the likes of JP Morgan Chase, which in all probability has an annual cyber security budget worth millions of dollars, got hit by a breach.

The view expressed by Patricia Wexler, spokesperson for JP Morgan Chase, that “Companies of our size unfortunately experience cyber-attacks nearly every day” is quite true; however, security lies in knowing that even the smallest whimper must be given appropriate attention. Say, for example, we are working in a noisy environment. After a few minutes in that noise, we become immune to it. In this scenario the noise is the alerts: had the administrators become immune to the daily chatter of alerts from constant attacks, or were they specifically chided by their peers to report only in the case of an actual eventuality, as with the boy who cried wolf?

Last but not least, a few months back, in December 2013, it was revealed that JP Morgan had been hit by a data breach in which it warned almost half a million prepaid cash card customers that their personal information might be at risk. Two incidents in the space of six months is a huge failure of the security mechanism.

We simply hope that JP Morgan Chase and the investigating agencies reveal to us exactly what happened and how it happened, as this is the only way towards implementing better security practices. Whether those practices are then followed is a different question altogether.